CVE-2021-46955: Vulnerability in Linux (Linux kernel)
Description

In the Linux kernel, the following vulnerability has been resolved:

openvswitch: fix stack OOB read while fragmenting IPv4 packets

Running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets:

 BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
 Read of size 1 at addr ffff888112fc713c by task handler2/1367

 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ #418
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  ip_do_fragment+0x1b03/0x1f60
  ovs_fragment+0x5bf/0x840 [openvswitch]
  do_execute_actions+0x1bd5/0x2400 [openvswitch]
  ovs_execute_actions+0xc8/0x3d0 [openvswitch]
  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]
  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0
  genl_rcv_msg+0x287/0x490
  netlink_rcv_skb+0x120/0x380
  genl_rcv+0x24/0x40
  netlink_unicast+0x439/0x630
  netlink_sendmsg+0x719/0xbf0
  sock_sendmsg+0xe2/0x110
  ____sys_sendmsg+0x5ba/0x890
  ___sys_sendmsg+0xe9/0x160
  __sys_sendmsg+0xd3/0x170
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f957079db07
 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48
 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07
 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019
 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730
 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0

 The buggy address belongs to the page:
 page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7
 flags: 0x17ffffc0000000()
 raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:
  ovs_fragment+0x0/0x840 [openvswitch]

 this frame has 2 objects:
  [32, 144) 'ovs_dst'
  [192, 424) 'ovs_rt'

 Memory state around the buggy address:
  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
                                         ^
  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00

For IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as a pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this by changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 a few lines below.
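The type confusion described above, modelled in user space as an added example (this is not kernel code nor the patch itself; the struct layouts are simplified stand-ins and the names ip_mtu_locked, mtu_locked_read_in_bounds and the *_temp_in_bounds helpers are assumptions for illustration). The bounds check mirrors what KASAN flagged: a read of rt_mtu_locked through a pointer that really points at a bare struct dst_entry ends past that object, while the same read through &ovs_rt.dst stays inside the struct rtable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Simplified stand-ins for the kernel structs (assumption: real layouts are
 * larger; only the "rtable embeds dst_entry as first member" relationship matters). */
struct dst_entry {
    void *dev;
    unsigned long expires;
    unsigned int flags;
};
struct rtable {
    struct dst_entry dst;       /* first member, so dst_entry* <-> rtable* casts */
    int rt_genid;
    unsigned int rt_flags;
    unsigned int rt_mtu_locked; /* a 1-bit field in the kernel; whole int here for offsetof() */
};
#define container_of(ptr, type, member) \
    ((type *)((const char *)(ptr) - offsetof(type, member)))

/* Mirrors the kernel's ip_mtu_locked(): it assumes dst lives inside an rtable. */
static bool ip_mtu_locked(const struct dst_entry *dst)
{
    const struct rtable *rt = container_of(dst, const struct rtable, dst);
    return rt->rt_mtu_locked != 0;
}

/* The check KASAN performs at runtime: does the rt_mtu_locked read end inside
 * the object the caller actually placed on the stack? */
static bool mtu_locked_read_in_bounds(size_t object_size)
{
    return offsetof(struct rtable, rt_mtu_locked) + sizeof(unsigned int) <= object_size;
}

/* Before the fix: ovs_fragment() used a bare struct dst_entry for IPv4, so the
 * read lands past its end (the splat's offset 180 sits in the redzone between
 * ovs_dst [32,144) and ovs_rt [192,424)). */
static bool buggy_ipv4_temp_in_bounds(void) { return mtu_locked_read_in_bounds(sizeof(struct dst_entry)); } /* false */

/* After the fix: a struct rtable is the temporary and &ovs_rt.dst is handed down. */
static bool fixed_ipv4_temp_in_bounds(void) { return mtu_locked_read_in_bounds(sizeof(struct rtable)); }    /* true */

/* The fixed pattern exercised end to end: the dst pointer really is embedded. */
static bool fixed_path_mtu_locked(bool locked)
{
    struct rtable ovs_rt;
    memset(&ovs_rt, 0, sizeof(ovs_rt));
    ovs_rt.rt_mtu_locked = locked;
    return ip_mtu_locked(&ovs_rt.dst);  /* in bounds, returns the value that was set */
}
```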
AI Analysis
Technical Summary
CVE-2021-46955 is a vulnerability identified in the Linux kernel's openvswitch (OVS) module, specifically related to the handling of IPv4 packet fragmentation. The flaw manifests as a stack out-of-bounds (OOB) read during the fragmentation process of IPv4 packets. The vulnerability was detected when running openvswitch on kernels built with Kernel Address Sanitizer (KASAN), which revealed a stack OOB read error in the function ip_do_fragment. The root cause is the misuse of a temporary variable within the ovs_fragment function: a pointer to a struct dst_entry is incorrectly treated as a pointer to a struct rtable, leading to out-of-bounds stack memory access when accessing members like rt_mtu_locked. This improper type usage causes the kernel to read beyond the allocated stack frame, potentially leading to undefined behavior or kernel crashes. The vulnerability is triggered during the fragmentation of IPv4 packets, and the call stack traces through several kernel networking functions including ip_skb_dst_mtu and ip_mtu_locked. The issue was fixed by changing the temporary variable used for IPv4 packets in ovs_fragment to correctly mirror the approach used for IPv6 packets, preventing the OOB read. This vulnerability affects multiple Linux kernel versions, particularly those incorporating openvswitch and handling IPv4 fragmentation. No known exploits are currently reported in the wild, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with openvswitch enabled, especially in environments where IPv4 packet fragmentation is common, such as data centers, cloud providers, and enterprises using virtualized network overlays. The out-of-bounds read could lead to kernel crashes (denial of service), potentially disrupting critical network services and impacting availability. While the vulnerability is a read-type memory error, it could be leveraged in complex attack chains to leak sensitive kernel memory or escalate privileges if combined with other vulnerabilities, though no direct exploit is known. Disruption of network functions in virtualized environments could affect service continuity for European businesses relying on Linux-based infrastructure. Given the widespread use of Linux and openvswitch in European telecom, cloud, and enterprise sectors, the vulnerability could have broad operational impacts if exploited or triggered unintentionally.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions where this vulnerability is patched, particularly those using openvswitch for network virtualization. Kernel updates should be applied promptly from trusted vendor sources or distributions. Additionally, organizations should audit their use of openvswitch and IPv4 fragmentation configurations to minimize unnecessary fragmentation where possible. Building test kernels with KASAN (a debugging instrumentation rather than a production hardening option, since it adds substantial runtime overhead) can surface similar memory-safety bugs before they reach production. Network segmentation and strict filtering of fragmented IPv4 packets at perimeter devices can reduce exposure. Monitoring kernel logs for unusual crashes or KASAN reports mentioning ip_do_fragment or ovs_fragment can aid in early detection. For critical infrastructure, consider deploying intrusion detection systems capable of identifying anomalous fragmentation patterns. Finally, maintain an up-to-date inventory of Linux kernel versions and openvswitch deployments to ensure timely patch management.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.937Z
- CISA Enriched: true
- CVSS Version: null
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbddf9e
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 4:40:15 AM
Last updated: 8/11/2025, 6:37:24 AM
Views: 14
Related Threats
- CVE-2025-8838: Improper Authentication in WinterChenS my-site (Medium)
- CVE-2025-8837: Use After Free in JasPer (Medium)
- CVE-2025-8661: Vulnerability in Broadcom Symantec PGP Encryption (Medium)
- CVE-2025-8836: Reachable Assertion in JasPer (Medium)
- CVE-2025-8747: CWE-502 Deserialization of Untrusted Data in Google Keras (High)